Hi,

I'm planning to create a login window where I can enter a username and password in Visual Basic 6. In this window, there are also options to create and change the password. Can you help me with how to do this? And also, how will the passwords be protected from other people who are not authorized to access them? Thank you.

There's never a 100% secure solution.

First, do not store the password in plain text. Use some hash function to calculate a hashed value of the password and store this hashed value. Some methods are MD5, SHA1 or simple CRC32 etc. You'll find sample code with Google. So when the user gives his/her password, you calculate the hash and compare the calculated hash with the stored hash value, not the password itself.

Second, where to store hashed passwords? Do you use some database to store them? If you have only one user who's allowed to access, you can store the hashed password in the registry. Of course, it can be removed from there. Another solution, and quite feasible today, is to store it in a file on a USB memory stick. Then the user requires the USB stick, and the USB stick must contain the hashed password in a file.

I won't give here the actual code for password prompt dialog and password change dialog. They are quite straightforward to implement, but I'll give help with them if needed.

Try it.

Thanks for the attached file. Actually, I have that file already. In this file, isn't it the case that you can only change the password by changing it in the registry? What I want to know is how to change it during run time. For example, I want to add a command button whose function is to change the password.

I'm quite confused about the hash function you mentioned. Please give me a specific example of how to do this. Thank you.

Ok. I've ripped this partly from my app which is written in VB.NET not VB6 and the rest is sort of "pseudo code". So, you'll need in VB6 a) an MD5 function and b) a way to convert a string to bytes. You'll find VB6 code for that with Google (I did some 10 yrs ago ;)

First, user enters initial password:

Imports System.Security.Cryptography

Private Sub CalculateMD5(ByVal BytesIn() As Byte, ByRef ResultMD5() As Byte)
  '
  ' Calculate MD5 for bytes
  Dim ProvMD5 As MD5

  Try
    ProvMD5 = MD5CryptoServiceProvider.Create()
    ProvMD5.Initialize()
    ResultMD5 = ProvMD5.ComputeHash(BytesIn)
    ProvMD5.Clear()
  Catch ex As Exception
    ' Handle error
  End Try

End Sub

Private Function MD5ToString(ByVal BytesIn() As Byte) As String
  '
  ' Return MD5 as a hex string
  Dim UBits As Integer
  Dim LBits As Integer
  Dim TempStr As String
  Dim i As Integer

  Try
    TempStr = ""
    For i = 0 To BytesIn.GetUpperBound(0)
      UBits = (BytesIn(i) And 240) >> 4
      LBits = (BytesIn(i) And 15)
      TempStr = TempStr & String.Format("{0:x}", UBits)
      TempStr = TempStr & String.Format("{0:x}", LBits)
    Next i
    Return TempStr
  Catch ex As Exception
    ' Handle error
    Return ""
  End Try

End Function

Get a password from the user, calculate hash and store hash.

Imports System.Text

Dim StringData As String
Dim ByteData() as Byte
Dim ResultHash() As Byte
Dim HashedPwString As String

' Get password to StringData and convert to bytes
ByteData = Encoding.Default.GetBytes(StringData)
' Hash it
CalculateMD5(ByteData, ResultHash)
' Make a string from bytes, you could use also Encoding.Default.GetString()
HashedPwString = MD5ToString(ResultHash)
' Now, store HashedPwString to somewhere!

How to compare hashes:
Use the same code as above to (prompt password) and calculate HashedPwString from it. Then compare:

Dim StoredHash As String
' Read StoredHash from somewhere
If HashedPwString = StoredHash Then
  ' Yes the passwords are the same
Else
  ' No match, kindly tell the user to re-enter password. Or just kick him out
End If

Here's one MD5 code (in VB6) http://www.di-mgt.com.au/crypto.html#MD5 but I haven't tried it myself. That code seems(?) to take strings as parameters so you do not need string->byte->string conversions. Just rewrite CalculateMD5() with the VB6 code (from that link).

BTW. If you use VB.NET, you can change MD5 -> SHA1 and get slightly better hashes.
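An added example, not code from this thread: the same store-a-hash-and-compare flow, including the run-time "change password" step asked about earlier, written with a per-user random salt and PBKDF2 (`Rfc2898DeriveBytes`) in place of the single unsalted MD5 pass in the post above. The module name, function names, record layout and iteration count are assumptions, and the four-argument `Rfc2898DeriveBytes` constructor needs .NET Framework 4.7.2 or later.

```vbnet
Imports System
Imports System.Security.Cryptography

Module PasswordStore
    Private Const DefaultRounds As Integer = 210000 ' assumed work factor, tune to your hardware
    Private Const MinSaltBytes As Integer = 8       ' Rfc2898DeriveBytes rejects shorter salts

    ' Builds the value to store: "rounds:salt:hash", with salt and hash Base64-encoded.
    Public Function CreateRecord(ByVal password As String) As String
        Dim salt(15) As Byte ' 16 random bytes, different for every record
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Return DefaultRounds.ToString() & ":" & Convert.ToBase64String(salt) & ":" &
               Convert.ToBase64String(Derive(password, salt, DefaultRounds))
    End Function

    ' Recomputes the hash with the stored salt and rounds, then compares hash to hash.
    Public Function Verify(ByVal password As String, ByVal record As String) As Boolean
        If record Is Nothing Then Return False
        Dim parts() As String = record.Split(":"c)
        Dim rounds As Integer
        If parts.Length <> 3 OrElse Not Integer.TryParse(parts(0), rounds) OrElse rounds <= 0 Then Return False
        Try
            Dim salt() As Byte = Convert.FromBase64String(parts(1))
            Dim expected() As Byte = Convert.FromBase64String(parts(2))
            If salt.Length < MinSaltBytes Then Return False
            Dim actual() As Byte = Derive(password, salt, rounds)
            ' Accumulate differences instead of exiting at the first mismatching byte.
            Dim diff As Integer = expected.Length Xor actual.Length
            For i As Integer = 0 To Math.Min(expected.Length, actual.Length) - 1
                diff = diff Or (expected(i) Xor actual(i))
            Next
            Return diff = 0
        Catch ex As FormatException
            Return False ' stored record was edited or corrupted
        End Try
    End Function

    ' For a "change password" button: returns the new record, or Nothing if the old password is wrong.
    Public Function ChangePassword(ByVal oldPw As String, ByVal newPw As String, ByVal record As String) As String
        If Not Verify(oldPw, record) Then Return Nothing
        Return CreateRecord(newPw)
    End Function

    Private Function Derive(ByVal password As String, ByVal salt() As Byte, ByVal rounds As Integer) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, rounds, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(32)
        End Using
    End Function
End Module
```

Only the string returned by `CreateRecord` or `ChangePassword` is written to the registry, file or database; because the salt is random, two users with the same password get different records.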

Thank you for the information :) Actually, I'm not familiar with VB.NET yet, that's why I only asked about VB6. Maybe I'll just study how to use VB.NET so I can use the code you gave me. How can I get VB.NET?

Actually you can do it with VB6 (I did a long time ago). All you need is that MD5 algorithm written in VB6, for which I gave a link. VB.NET has these things "built-in" i.e. they are part of the .NET Framework.

If you want to go for VB.NET, there are free Express Editions (EE) for learning purposes. VB.NET 2005 can be downloaded from http://www.microsoft.com/express/2005/ and it comes with SQL Server 2005 Express Edition. There are also EEs for C# etc.

VB.NET 2005 EE works with .NET Framework 2.0. Latest .NET Framework is 3.5 and if you want to jump straight to it, download VB.NET 2008. 3.5 contains a lot more bells and whistles. I still stick with 2.0 because I have a large code base written for it and I don't currently have time to learn new things that come with 3.5 and VB.NET 2008.

There are a few restrictions with EEs compared to the commercial Visual Studio products. For example, you may not use EE for compiling commercial products. So read the End User License Agreement carefully, but you would do that anyway, wouldn't you :D

:-/ Hey, could I have some help on my VB6 program? I need some code to enter a password in a textbox and press the Enter button, then it lets me show form 5.
